Hi Paul,
you are correct, the NO_PROPOSAL_CHOSEN message did show up immediately
after the algorithms are listed in the log. In the past when I have
seen that it is because the security paramaters are not correct, but I
haven't seen it between two versions of libreswan before, I don't think.
The local side was running .22, so I upgraded that to .29 as well.
That fixed the proposal error and broke connections with all the older
builds, but something still not right. Enough for tonight, will tackle
it again in the morning. But here are the remote logs:
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed
local IKE proposals for computerisms2rrdc (IKE SA initiator selecting
KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
(default)
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #1:
STATE_PARENT_I1: sent v2I1, expected v2R1
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed
local ESP/AH proposals for computerisms2rrdc (IKE SA initiator emitting
ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2:
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: IKE_AUTH
response contained the error notification TS_UNACCEPTABLE
On 2019-08-11 7:44 p.m., Paul Wouters wrote:
> Seems a misconfiguration. The Notify you receive should contain an indicator, eg NO PROPOSAL CHOSEN or AUTH FAILED
>> Sent from mobile device
>>> On Aug 11, 2019, at 21:45, Computerisms Corporation <bob at computerisms.ca> wrote:
>>>> quick follow up; didn't notice that .29 was available, just tried upgrading it, but getting the same error.
>>>>> On 2019-08-11 6:09 p.m., Computerisms Corporation wrote:
>>> Hi,
>>> I setup a net to net tunnel, following the procedure I normally follow (at least presuming I didn't make a mistake that I can't find), using 3.28. I have patched the code as per
>>>https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb Which so far has worked in at least 3 other places without issue (that said the barf.in needs to be done manually, the patch does not apply cleanly to that file).
>>> I am getting this in the logs:
>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: no useful state microcode entry found for incoming packet
>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: dropping unexpected IKE_AUTH message containing INVALID_IKE_SPI notification; message payloads: N; missing payloads: SK
>>> Apart from the github page with the code that uses this text, I get no hits on google. I have read the comment in the code and understand that something is messed up, but I am not really clear what this is indicating. Is it a configuration issue? a portion of the code not properly compiled? a certificate problem? The remote end is a very slow DSL connection, maybe that is part of the problem? been going through my regular list of things to try, but not meeting any success yet.
>>> Any clues on a direction for me to go with this?
>> _______________________________________________
>> Swan mailing list
>>Swan at lists.libreswan.org>>https://lists.libreswan.org/mailman/listinfo/swan>